package cn.tedu;

import java.sql.*;
import java.util.Scanner;

public class Demo03 {
    public static void main(String[] args) {
        Scanner scanner = new Scanner(System.in);
        System.out.println("请输入用户名");
        String username = scanner.nextLine();
        System.out.println("请输入密码");
        String password = scanner.nextLine();
        try {
            Connection conn = DBUtils.getConn();
          /*  Statement s = conn.createStatement();
            ResultSet rs = s.executeQuery("select count(*) from user where username='"
                    +username+"' and password='"+password+"'");*/
            //通过PreparedStatement(带有预编译效果的执行SQL语句的对象) 解决SQL注入的漏洞
            //编译时用户输入的内容还不在SQL语句中,此时编译可以将SQL业务逻辑锁死,用户输入的内容
            //只能以值的方式添加到SQL中, 这样原有逻辑不会被改变,这样就解决了SQL注入的问题
            String sql="select  count (*) from user where  username=? and password=?";
            PreparedStatement ps=conn.prepareStatement(sql);
            ps.setString(1,username);
            ps.setString(2,password);
            ResultSet rs=ps.executeQuery();
            rs.next();
            int count = rs.getInt(1);
            if (count > 0) {
                System.out.println("登录成功");
            } else {
                System.out.println("用户名或密码错误!");
            }
        } catch (SQLException throwables) {
            throwables.printStackTrace();
        }

    }
}
